Public Bill Committee

[John Bercow in the Chair]

Clause 63

Disclosure of information to prevent fraud

Douglas Hogg: I beg to move amendment No. 154, in clause 63, page 33, line 26, at end insert—
‘(1A) No disclosure may be made under this section until the Secretary of State has published a Code setting out the terms of any arrangements under subsection (1), above.
(1B) No Code shall be published under subsection (1A) until a draft has been laid before, and approved by a resolution of, each House of Parliament.’.

John Bercow: With this it will be convenient to discuss the following: Government new clause 11 —Code of practice for disclosure of information to prevent fraud.
New clause 12—Role of Information Commissioner—
‘(1) Section 51 of the Data Protection Act 1998 (c.29) (general duties of the Commissioner) is amended as follows.
(2) In subsection (7), at the beginning insert “Subject to subsection (7A),”.
(3) After subsection (7), insert—
“(7A) The Information Commissioner may, on his own initiative, assess any data processing conducted under sections 63 to 67 of the Serious Crime Act 2007.”’.

Douglas Hogg: I shall speak to amendment No. 154, Mr. Bercow, but you will forgive me if I refer also to new clause 11, which has somewhat the same effect.
Before I begin, may I congratulate my hon. Friend the Member for Rugby and Kenilworth on becoming an Opposition Whip? I happened once to be a Government Whip, and it was the nastiest job I’ve ever had.

Crispin Blunt: I wish to put it on record, Mr. Bercow, that my right hon. and learned—and, indeed, noble—Friend was one of the most outstanding Government Whips; his record in the Whips Office was exemplary for collective responsibility and discipline in the parliamentary party. That, however, is enough of a diversion.

Douglas Hogg: I was the worst Whip there has ever been, and I had great contempt for those who did what I told them to do—but enough of that. None the less, I congratulate my hon. Friend on his promotion; I am pleased for him, and he deserves it.
You will remember, Mr. Bercow, that I have been busily expressing my opinion at some length on many clauses. Although I have relatively little knowledge of the prevention of fraud or of the data exchanging provisions, I nevertheless smell a rat when I see one. It is plain that the powers being taken under part 3 are extensive, as they include substantial provisions on information exchange. I acknowledge that the objective—to prevent fraud within Government Departments—is entirely benign, but as I have said before on many occasions, all power, once given, is abused. It is therefore right that the Committee and the House should look carefully at what is proposed.
At the moment, the clause deals exclusively with executive decisions, namely, arrangements for the exchange of information between designated organisations; but no provision has been made for the parliamentary supervision of that process. Amendment No. 154 would make provision for a scheme to be laid before Parliament for its approval, so Parliament would at least have the opportunity to consider the scheme of which the Government conceive, and it would have the opportunity also to approve or disapprove the same.
I suggest that the amendment offers a sensible way forward—indeed, so sensible is it that that the Government have tabled new clause 11, backed by new clause 12. It is always churlish not to welcome an erring sinner when he returns to the flock. I would have some difficulty should the hon. Member for Grantham and Stamford (Mr. Davies) seek to do so, but although it is likely it has not happened yet. The Minister has shown a desire to follow the kind of thinking that I have outlined, and I welcome his attempt. However, it is not sufficient.

James Brokenshire: The one point I draw to the attention of my right hon. and learned Friend is that new clause 12 is an Opposition amendment. I understand that it has not yet been accepted by the Government, but I look forward with great interest to the Minister’s response to the debate. New clause 12 highlights the need for oversight and scrutiny, which will be dealt with in more detail in due course.

Douglas Hogg: I apologise to my hon. Friend. No doubt he will wish to speak to new clause 12. I was focusing on Government new clause 11.
My scheme contemplates the laying of a code before Parliament, to be approved by affirmative resolution. There quite a lot of precedents: the most important, to my knowledge, is the PACE code made under the Police and Criminal Evidence Act 1984. That code is perhaps more far reaching in its consequences than the code of practice on disclosure, as it regulates the actions of police forces right across the board, but although the PACE code is of greater moment, the code of practice on disclosure is important. The Government recognise that by saying that the code of practice should be published. The difference between the Government’s position and mine is that under the Government new clause, although the code is laid before Parliament, is not the subject of a necessary debate, far less a vote in Parliament.
One has to ask: other than making the terms known, what is the point of laying a code before Parliament unless Parliament has a very obvious opportunity to debate it? In theory, it is always possible to bring matters before Parliament by way of Adjournment debates and motions on this and that. The great advantage of my proposal is that the code has to be debated because it cannot become effective without the affirmative resolution of both Houses.
I hope that, on reflection, the Government will conclude that although my amendment omits things that they would like to see—and I am not saying that the language that I have used should be set in concrete—there is merit in the concept of a code being published and subjected to Parliamentary debate and vote and thus scrutiny. If the Government were to accept that, and it is little more than what they are doing, I would be content. We are dealing with parliamentary sovereignty, and that is a matter the Prime Minister makes a great song and dance about and tells us what a convert he is—I must say the mind boggles at that considering what a control freak he has been for the past—I am sorry, Mr. Bercow! Remembering your previous injunction, may I come in your direction?
As I was saying, as the Government are committed to transparency and parliamentary sovereignty, I look forward to hearing that there will be a sudden manifestation of that and that my new clause will be accepted.

James Brokenshire: I welcome you to the Chair again, Mr. Bercow. I echo the comments made by my right hon. and learned Friend the Member for Sleaford and North Hykeham in congratulating our hon. Friend the Member for Rugby and Kenilworth. I hope that he enjoys his new responsibilities and challenges, and I hope that I will not need to be kept in order by him on too many occasions.
It is a pleasure to follow on from my right hon. and learned Friend, given the way he expressed his concern about this provision. We are now talking about part 3 of the Bill, which deals with data sharing and data mining—

Vernon Coaker: I am sure that the hon. Gentleman meant to say data sharing and data matching.

James Brokenshire: I am being picked up early in the morning, but I know that data matching can also be construed as data mining. I hope that the Minister will assure us that it is the matching rather than the mining activity that we are debating, given that that is clearly a matter of concern, rightly expressed by various people outside the House.
My comments will be wide ranging and extended. I make them in the full knowledge of their likely impact on the likelihood of a stand part debate. It is appropriate to do that to understand the context of the clause and how the amendments sit within it, so that we can better appreciate the appropriateness or otherwise of the amendments in the group.
In large measure, the provisions contained in clause 63 and the next few clauses relate to the need to combat fraud. It is important to note that a report for the Association of Chief Police Officers economic crime portfolio, published in February, estimated that all types of fraud cost the United Kingdom economy at least £14 billion, and that
“it would be surprising if the ‘true total’ was not much larger than this.”
The report estimates that in 2005 £2.75 billion was lost through fraud against private individuals, and says that a conservative estimate of national public sector fraud losses is £6.4 billion, but the total could be much higher given that that figure excludes tax fraud.
The Government are right to consider appropriate mechanisms to crack down on fraud, given its scale and the impact on the economy and on individuals that those figures indicate. Sharing information on fraud is an obvious part of that effort. This debate is about how that should be done and what protections must be maintained to ensure that such information is not misused, misapplied, or used in a manner other than that which is contemplated by the Government. We must reassure those inside and outside the House who are concerned about the use of personal data that we will ensure that there is no creeping extension of powers without proper consideration on how and why we share and analyse such data.
Information sharing to prevent fraud has been happening for some time in the private sector. The most obvious example of how that works is the Credit Industry Fraud Avoidance Scheme—the United Kingdom’s fraud prevention service. CIFAS is an independent, not-for-profit company limited by guarantee that allows its members to exchange information on applications, accounts and insurance claims that have been made, or are being used, fraudulently. CIFAS comprises some 260 organisations, spanning asset finance, insurance, banking, retail and the telecoms sector. I mention it specifically because it has been given as an example of an organisation to which it might be appropriate to extend the powers set out in clause 63—one with which the Government or public authorities might wish to share information.
Against the backdrop of a private sector that includes CIFAS and other organisations that make it possible to share information to combat fraud, and given that somebody intent on defrauding his bank, phone company or insurance company might also seek to defraud the Government, it is appropriate that the Government consider how similar approaches could be applied in the public sector. However, there are significant risks involved in widening the ambit of data sharing to the public sector. The Law Society has two principal concerns about the proposals. It says,
“Much existing data is of poor quality. If poor quality data is more widely shared across the public and private sectors then inefficiencies will be created. More worryingly, records may be flagged with a suspicion of fraud or inappropriate and intrusive fraud investigations initiated. We are concerned about the sharing of information by the private sector with public sector bodies which may expose individuals to the risk of unacceptable consequences in their private lives, not on the basis of proven criminality but instead based on mere suspicion.”
The Law Society has highlighted the potential for misuse caused by the wide-ranging nature of the clause. According to subsection (2)(a), the information that may be provided may be “information of any kind”.
The Minister might say, in response to the debate, that the clause is restricted by compliance with the Data Protection Act 1998. However, there are issues about how that applies and whether it is made clear when someone is providing information to a public authority that such information could indeed be shared with third parties for the potential investigation of unlawful activities. If that is made clear and someone provides information to a public authority in such circumstances and it is stated that it would be shared with other bodies, the Data Protection Act would have been complied with. While the provision gives some protection, it does not necessarily go all the way.

Kali Mountford: I am listening carefully to the hon. Gentleman, but is there not a problem with the balance between the protection of the individual that he is concerned about, and the protection of the general public, who I am concerned about? They might be worried that the amount of fraud growing in our society and impinging on their rights to be protected may mean that they will not be so protected if we go down the route referred to by the hon. Gentleman.

James Brokenshire: The hon. Lady is being premature and a little harsh by suggesting that I am siding solely with the individual and not taking account of the wider implications of fraud prevention. That is why, at the outset of the debate, I talked about setting the context and framework. I acknowledged that data sharing already operates within the private sector and protects individuals. It ensures that fraudsters cannot operate with impunity. The hon. Lady and I are making the same point about a question of balance and proportionality. I hope that, when I develop some points in further detail, she will recognise that I, too, am talking about understanding the provisions fully and ensuring that they contain an appropriate balance and reasonableness that counter the hon. Lady’s rightful point about the need to ensure that we take a robust approach to fraud. We must also ensure that they do not have a wider application other than fraud prevention, and that they can be enforced and ring-fenced. I am not denigrating her comments. Indeed, we probably share a lot of common thought and it is the question of balance that we need to understand fully.
When the Minister replies, I hope he can explain to the Committee in detail how the Government envisage the operation of the data sharing scheme, so that we can understand it properly. We want to put in context what is envisaged to see whether the provisions reflect that intention and aspiration or whether they would go further than might be appropriate or necessary to achieve the Government’s aims. Is it intended to follow something akin to the CIFAS model, whereby members, having satisfied themselves in accordance with the CIFAS code that a fraud has been committed, can flag up the details of a potential fraud so that other members are aware of such incidents? Or is a much broader sharing of information envisaged, and not limited to the entry of specific incidents that can then require further investigation?
That is the CIFAS model, and at meetings CIFAS has made it clear to me that the aim is to flag up something for further inquiry rather than to have a watch list that would be of concern given its impact on an individual in such circumstances. Let us contrast that with informing its members of a potential issue that requires further and detailed examination and analysis to confirm the robustness and the relevance of the information to the particular consideration with which the person might be confronted. In any event and because of the breadth of the current drafting, I believe that further safeguards are required.

Jeremy Wright: I thank my hon. Friend and my right hon. and learned Friend the Member for Sleaford and North Hykeham for their kind congratulations to me.
I want to ask my hon. Friend the Member for Hornchurch not only about the range of organisations to which information may be disclosed, but the particular types of information. Does he agree that it would be helpful to limit the fields of information that are supplied to those that are needed for the relevant purposes, so that extra information about individuals is not disclosed unnecessarily?

James Brokenshire: My hon. Friend illustrates the importance of having a clear understanding of what we are talking about. For instance, CIFAS has a limited number of fields that are focused on measuring the nature of the fraud. They allow certain information to be used by CIFAS members to facilitate follow-up and further inquiries when someone has been flagged up as having committed a potential fraud. A CIFAS member has to be satisfied that a fraud has been committed on the balance of probabilities and on the basis of certain tests that comply with the code. The robustness of the code, and ensuring that it is complied with, are therefore important in ensuring that the code does what it says. There has been discussion about whether CIFAS might need to extend the number of fields.

John Bercow: Order.

James Brokenshire: I will give way.

John Bercow: The hon. Gentleman is not giving way. I am genuinely sorry to interrupt him, but I remind him to address the Chair. I understand that he is trying to respond to the point made by his hon. Friend the Member for Rugby and Kenilworth, but he must address the Chair and the Committee.

James Brokenshire: I would never wish any offence.

Douglas Hogg: What?

James Brokenshire: I would never wish to cause offence, despite any encouragement otherwise from other Committee members. I shall address my future comments to you, Mr. Bercow, even if they relate to remarks by other hon. Members.
The point that I was making was that it might be necessary to expand the number of database fields in which CIFAS currently operates. That might be entirely appropriate, fair and reasonable to the operation of the envisaged scheme. There is a lot of detail on the approach and the application of the scheme that is not currently before us. I hope that the Minister will therefore give at least some explanation of the intentions behind the provisions, because that would assist the Committee in assessing the clause and the related amendments.
I am pleased that the Government have introduced new clause 11, which provides for a code of practice to govern the sharing of information by public authorities as members of a specified anti-fraud organisation. The amendment raises at least three important questions. First, who will monitor compliance? The Minister will be aware that there was a debate in the other place on the need to ensure that the Information Commissioner would have clear authority to conduct investigations to assess compliance with the clauses in this part of the Bill that concern sharing and matching of data. That is reflected in the drafting of new clause 12, which the Opposition have tabled.
If we are to have comfort that the clause as amended by new clause 11 will provide protection, we have to know that there will be a mechanism to monitor compliance and apply sanctions in the event of breach. The issue is too serious to leave to chance. The Information Commissioner has made it abundantly clear on a number of occasions that he believes the best solution is to put a specific and express power in the Bill. In his letter to the Minister dated 15 June 2007, which the Minister kindly made available to Committee members, he said:
“I am content that the new code of practice will give me access to audit and inspect information-sharing done under the new powers. As you know I would have preferred something on the face of the legislation about this. However, I am satisfied that an acceptable outcome can be reached through a provision in the code of practice.”
As we sit here today, however, how can we be content as a Committee? We do not have the information and detail to assess whether the Information Commissioner is correct. I have the utmost respect for him and for his role as a champion and safeguard. It is clear from his comments that he has concerns. Questions remain because we do not know the detail of the code of practice and because of other points that I will come on to.
We are not debating the details of the code of practice today. Under Government new clause 11, Parliament will have no scope to review, scrutinise or assess the reasonableness of the code, on which a huge amount of reliance is placed. That is not an acceptable situation, which is why the amendment tabled by my right hon. and learned Friend the Member for Sleaford and North Hykeham is so important. It would provide the additional protection of consideration and approval of the code by Parliament.
My second point concerns the status and effectiveness of the code. Subsection (3) of Government new clause 11 states merely:
“A public authority must have regard to the code”.
It does not say that a public authority must comply with the code. The Information Commissioner might be given rights in the code of practice, but, given that the public authority will need only to have regard to the code, what teeth, in the form of sanctions, will the commissioner actually have?

Vernon Coaker: I draw the hon. Gentleman’s attention to the Data Protection Act. As he is aware, it contains a number of sections dealing with the enforcement powers that are available to the Information Commissioner, to ensure that the requirements of the Act are properly fulfilled.

James Brokenshire: I am grateful to the Minister for highlighting that. I want to be clear that the language in the Bill refers to compliance and that the Information Commissioner will have the ability to go in and inspect of his own volition, not only if a complaint is made to him. The Minister has met the commissioner and Members of the other place, who made the point that it was appropriate for the commissioner to have that right. I know that the Minister was exploring that possibility, but Government new clause 11 falls short of it. I note the comments in the commissioner’s letter on the subject.

Vernon Coaker: The hon. Gentleman makes a reasonable point, but I point out that the Information Commissioner is able to investigate such matters of his own volition, or following a request, under the Data Protection Act.

James Brokenshire: I know that the issue of whether the rights and responsibilities of the Information Commissioner include the ability to undertake actions of his own volition has been a topic of debate. I am aware that the Minister’s colleague, Baroness Scotland, said in the other place that she believed that such rights exist. Questions about that were raised in the other place and in discussions with the commissioner, however. I therefore think that it would be appropriate to dispel any doubts by including in the Bill the specific provision envisaged in new clause 12. That is why we have sought to continue the debate, which started in the other place, about the necessity of such a measure.
I look forward to the Minister’s response. We need to ensure that we have robust protection and that the Information Commissioner has the authority to investigate potential breaches of the Bill in the context of the Data Protection Act. We need assurance that if there are breaches, the Information Commissioner will be able to discover them and ensure compliance.
I also note the comments of the Audit Commission, which said that it would welcome the involvement of the Information Commissioner in relation to other aspects of the Bill, including data matching. That is welcome.

Vernon Coaker: I was just trying to find the relevant bit of the Data Protection Act, under which the Information Commissioner can act of his own volition. I refer the hon. Gentleman to section 43(1)(b), which deals with what the commissioner may do if he
“reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles”.
The only point of difference is that we believe that the Data Protection Act already allows the Information Commissioner to act of his own volition, should he believe that the principles contained in the Act are being broken.

James Brokenshire: The Minister makes a valid point in relation to the Act, but a subtle distinction can be drawn from this discussion, because although the Information Commissioner is able to request the information, it is then a matter of whether he can go into the premises or inspect the books and records of the person to ensure that they are complying. That is the distinction drawn between the Information Commissioner’s ability to request information of his own volition and his ability to go in or make unannounced visits to be able to ensure compliance, which is slightly broader than the terms of the Act allow. However, that is one reason why there has been an ongoing debate about this aspect of the legislation and why there is still concern about the robustness of the protections afforded. That concern is highlighted particularly when we consider the extension of the relevant rights and powers in the Bill.
My third point relates to how proposed new clause 11 would work in practice. How many specified anti-fraud organisations would there be? What criteria would be applied in deciding whether a particular organisation is suitable for public bodies to share information with it? What scrutiny would be applied to the decisions made by the Government in choosing particular anti-fraud organisations? What reviews would be undertaken to ensure that such anti-fraud organisations remain appropriate? Why have the Government also not chosen to specify anti-fraud organisations by order—they have left more general phraseology in the Bill—so that there could be clarity and certainty about whom we are talking about?
As I have highlighted, it has been suggested that CIFAS may be an appropriate body with which the Government may wish to share information to combat fraud. There is no doubt that CIFAS is a long-standing, well-respected organisation. I pay tribute to its work, but if it or any similar organisation is considered an appropriate body, a number of practical and legal issues need to be properly considered, whether in the context of the code or the provisions in the Bill.
Can the Minister confirm that an organisation chosen as a specified anti-fraud organisation would not, in essence, be subsumed within the state? CIFAS is a private organisation owned by its individual members. As a consequence of any extension of the data sharing that CIFAS operates, its members who own it would ultimately have to consider carefully what it would mean if the Government became a very large member of that organisation. I would not wish to see a creeping mechanism, whereby existing private sector bodies that already share information for the purposes of combating fraud are suddenly subsumed and become another part of the state. That would be an unfortunate and unintended consequence of the proposals that we are debating today.
There is also the issue of how indemnities and insurance would apply. As I understand it, at the moment the individual members of CIFAS give an indemnity to it and to its other members to deal with any potential liability that may result from information that is flagged up by CIFAS. For example, if it can subsequently be shown that information that was incorrect and potentially defamatory was put on to the CIFAS system and shared, a legal action may result.
Obviously it is not in the general nature of Government or the state to give indemnities. Therefore, I would appreciate it if the Minister could confirm whether this issue of indemnities has been given consideration in the context of how data sharing would apply, so that, for example, non-governmental members of the relevant organisation would have some sort of remedy or right of action if they are subsequently subject to legal proceedings as a consequence of having relied on information provided by the Government. We need to know how the system would operate in practice.
I am aware that insurance does operate in this area and that that may be an appropriate mechanism for dealing with this potential problem, but I should appreciate it if the Minister would give some further background on this issue.
As I have already highlighted in my previous comments, compliance with the CIFAS code is an essential element of ensuring the robustness of the whole approach to combating fraud. One of the mechanisms that makes the CIFAS database work is the ability to ensure that its members comply with its code by providing and sharing data. That provision of information is a key aspect of CIFAS; a member cannot simply join CIFAS and then just take information without also giving information. In other words, it is a two-way process, and there is also an audit mechanism to ensure that information is shared.
If the Government were to join an organisation such as CIFAS, becoming a significant member, what practical measures could be taken to ensure that public sector bodies comply with codes of practice, given that such codes may well be very significant in their scale and nature? Returning to the point about corporate governance that I have previously highlighted, I believe that compliance with these codes of practice is essential to ensure both protection for the public and that the system operates effectively in its intended purpose of combating fraud.
Another key aspect of this issue is training, to ensure, first, that accurate data are put on any database and shared with private sector bodies and, secondly, that people know how to interpret information that is put on or flagged up on a database. It is vital that we do not take the approach of creating lists that are, in some way, watch lists, so that those lists, either because incorrect information is added to them or information is interpreted in an appropriate way, then have a significant impact on the ability of an individual to obtain services from the private sector and to obtain assistance, support and welfare benefits from the public sector. Therefore, what assurance can the Government give that the necessary support and training will exist to ensure that such a problem will not happen?
A separate point is access. Who, within Government, would have access to the CIFAS database? Would access be limited to certain designated officers, whose responsibility it is to combat fraud? I ask that question because I understand that in the existing systems, organisations and arrangements for data sharing within the private sector the access to any individual database would normally be limited to certain members of senior management and certain key individuals, and that such access is not generally made available. Again, I am seeking the Minister’s reassurance as to how the measure is intended to operate in practice, and whether it is the Government’s intention that data sharing will be restricted to relevant individuals, and that the information will not be used for purposes other than fraud detection.
There is also a wider point to be made about article 8 of the European convention on human rights. The Joint Committee on Human Rights has noted that
“the power of public authorities to share information with anti-fraud organisations is drafted in terms too general to satisfy the requirement in Article 8 ECHR that interferences with the right to respect for private life be sufficiently foreseeable. Unless the law enabling the sharing of information indicates with sufficient clarity the scope and conditions of exercise of the power of disclosure, any interference with the right to respect for private life will not be in accordance with the law and will therefore be in breach of Article 8.”
I know that the Government have tabled various amendments, and I should be grateful if the Minister would confirm that he is satisfied that the Joint Committee’s concerns have been addressed, and that the Government feel that the provisions comply with the convention.
I am sorry to have detained the Committee at length on the clause and amendments. The issue is serious and significant, and it requires detailed scrutiny and examination to ensure that we do not create a measure that goes further than intended. I hope that the Minister will respond favourably to a number of the points that have been made and set out the Government’s intention in further detail, and say how the concerns expressed both inside and outside the House will be dealt with by other means.

Jeremy Browne: I know the premium that you place on brevity, Mr. Bercow, so I shall not detain the Committee for longer than necessary or go over the same ground as the hon. Member for Hornchurch.
The hon. Member for Colne Valley made a useful intervention about the balance that needs to be struck between consideration for the rights of the individual and the collective rights of society, which has been a theme of our deliberations during the past couple of weeks. There is more scope for satisfying both sides of the equation on this measure than on parts of the Bill that we have debated.
We all begin with the assumption that we should tackle fraud—it is a criminal activity, it inconveniences individuals and it costs the public purse a considerable amount of money. The question is how to tackle fraud in such a way as to ensure that individuals are protected as they would wish. In that regard, it is sometimes difficult to strike the perfect balance, because an individual may give his or her details to a state agency for a specific and limited purpose, and they would not want those details to be more widely shared. However, they might then go to another state agency and express frustration that their details have not been passed on, and complain that the state was inefficient because it did not process their details to make their life more convenient. People’s expectations can be conflicting, and it is difficult for us legislators to satisfy competing and overlapping demands.
There is scope for progress on the matter because we have started from the point that we all want to reduce and combat fraud. The Liberal Democrats welcome new clause 11, which we regard as a useful additional safeguard.
Finally, the hon. Member for Hornchurch spoke about the Credit Industry Fraud Avoidance System and organisations of that type. CIFAS’s work is extremely valuable and offers good value for money to its member organisations because of the costs of belonging and the benefits. My concern, not necessarily with CIFAS but with other organisations undertaking similar work, is that it is difficult for an individual turned down for a loan, mortgage or some other service to work out why they have been rejected.
There appears to be a secret blacklist, although every organisation says, “No, it’s nothing to do with us; it’s not something that we’ve done,” when one is trying to find out whether someone who lived previously at one’s address failed to pay their council tax in full, or whatever it is. It is hard for people to get to the bottom of why they are on some sort of list denying them access to services, loans and so on that other people can access with greater ease. There are genuine issues about protecting the individual. It is not just namby-pamby liberal sentiment—I do not find anything namby-pamby liberal sentiment, but I know that other Committee members take a harsher view of my instincts—it is about taking a harder-edged approach to the matter.
In the House of Lords, where the issue was discussed at length, the Liberal Democrats expressed strong reservations about function creep, which has been mentioned today, and the potential for data mining and profiling, which appear to be contrary to the second and third principles of the Data Protection Act 1998. The second principle is that
“data shall be obtained only for one or more specified and lawful purposes”,
and the third that
“data shall be adequate, relevant and not excessive”.
We must take care to have regard to those principles.
I was pleased that on Second Reading in the House of Lords, Baroness Scotland sought to reassure the House that profiling was not the aim, saying that
“we will ensure that the provisions are used to target suspected fraudsters rather than simply those who are potential fraudsters.”—[Official Report, House of Lords, 7 February 2007; Vol. 689, c. 733.]
That is a useful distinction. We do not want the Government trawling as widely as they can in the hope that they might pick up something somewhere, without a realistic expectation in terms of intelligence that that will be the case.

Vernon Coaker: I was going to answer that point in my response to the hon. Member for Hornchurch, but perhaps I can reassure both hon. Gentlemen now. The Government made an amendment to the Bill in the House of Lords limiting the ability under section 32A(5) of the Audit Commission Act 1998 to identify patterns and trends suggesting a potential for future criminality. We have listened and made an amendment. I hope that that reassures the hon. Gentlemen.

Jeremy Browne: Rather than saying it just as a nicety, I am genuinely grateful for the Minister’s intervention and for how he has approached the whole of this part of the Bill. Attempts have been made to listen, both in the House of Lords and in private discussions about the concerns raised. The Liberal Democrats support new clause 11, and we welcome the fact that the Government have tabled it.
I have a few points to make to clarify aspects of new clause 11 before I bring my remarks to a close. I shall try not to go over the ground covered by the hon. Member for Hornchurch, who raised a number of points, all of which I thought valid. I shall be interested to hear the Minister’s response. He mentioned that bodies must have regard to the code, but asked who would monitor compliance. In addition, I should be interested to know what provision will be made to identify and police violations of the code. If we require organisations to have regard to it but have no measures or means to test whether they are doing so—or, better still, are complying with it—the code will have no teeth.
I shall be cautious in my second point, because it will come up in connection with the amendments to schedule 7that I have tabled, and I suspect, Mr. Bercow, that you would rather it were discussed at that point. The Bill says that the code should be reviewed “from time to time” only. I shall say no more at this stage, but my proposed amendments to schedule 7 would set a time scale on an otherwise extremely vague and unspecific undertaking. I should be interested, either now or when we debate schedule 7, to hear the Minister’s thoughts about whether a time scale is appropriate and could be added to toughen up the application of the provisions.
The final point that I want to raise with regard to new clause 11 is what ability Parliament will have under the new clause to scrutinise the making of the code for data sharing and whether we as elected representatives of the people will have input into that process. Although I welcome new clause 11, and the generally constructive approach that the Government have taken to part 3, some reassurance on this matter would be helpful to the Committee.

Vernon Coaker: Good morning to you, Mr. Bercow, and to all the Committee. It is nice to see the sun shining in for a change. I start by congratulating the hon. Member for Rugby and Kenilworth on his promotion. It is very richly deserved, if I might say so. Just before his Whip gets up, can I say that I would advise him to take more notice of the way in which the hon. Member for Reigate operates as a Whip than the way in which his right hon. and learned Friend the Member for Sleaford and North Hykeham operates. Indeed, if he wants further promotion, I suggest that he take that on board.

Crispin Blunt: I should point out that the lecture on loyalty read by my right hon. and learned Friend to the parliamentary Conservative party while in government has gone down in history.

Vernon Coaker: I will leave it at that.
I should like to make a general point before making some formal comments. I appreciate what the hon. Member for Taunton has just said and the spirit in which the hon. Member for Hornchurch approached the debate. We have tried to listen throughout the progress of the Bill, and have made a number of amendments. Clearly, there are still differences and matters on which we do not agree, but the Government have tried to amend the legislation as it has progressed to take account of concerns voiced both in Parliament and outside, and to strengthen the Bill further.
I take the point made by hon. Members that the important thing is the balance that we establish between personal privacy and the right to that privacy and, as my hon. Friend the Member for Colne Valley pointed out earlier, how we ensure that we prevent and detect fraud. As my hon. Friend rightly pointed out, it is an important and difficult balance to strike, but an extremely necessary one.
The hon. Member for Taunton and my hon. Friend the Member for Colne Valley pointed out that sometimes our constituents do not ask us about how we defend the privacy of individuals, but instead say that they cannot believe that information is not being shared that would lead to the prevention and detection of fraud and would be of benefit to us all. Although it is difficult, my hon. Friend was right to remind us, as other hon. Members accepted, that in striking that balance we must remember the rights of those who are victims of fraud, which we all are if, for example, somebody is defrauding the benefits or tax credit system, or any other type of Government Department activity.
I have tried in interventions to answer some of the points that the hon. Members for Hornchurch and for Taunton made. One of the crucial points concerns the Information Commissioner being able to investigate problems if he feels that there is one. Without repeating myself, I believe that the Data Protection Act gives the Information Commissioner the opportunity to do that. The hon. Member for Hornchurch asked about compliance. I point out to him that it is not in the interests of data controllers who have registered to refuse to comply with an enforcement notice or an information notice if they wish to satisfy the Information Commissioner that they are complying with the Act. Failure to comply with an enforcement order or an information notice is an offence under section 47 of the Data Protection Act, which gives the Information Commissioner the teeth to enforce it. The hon. Gentleman also asked whether the Information Commissioner can apply for a warrant to enter premises. Yes, he has the power to do so if he has reasonable grounds for suspecting contravention of the principles of the Data Protection Act.
The hon. Gentleman asked whether we expect there to be more than one specified anti-fraud organisation and the answer is yes. CIFAS may be used as the model for a specified anti-fraud organisation, but there could be others. I and other hon. Members have met representatives of Experian, which is also very interested in being involved, as Baroness Scotland made clear in the other place.
The hon. Gentleman also asked about the threshold that has to be met for the sharing of information in the CIFAS model: it is met when the reporting organisation believes that there would be sufficient evidence to report the matter to the police. Another body may choose a different threshold, but that would be a matter for the code to consider.
The hon. Gentleman asked about the problems of data quality when sharing information. All data sharing must comply with the Data Protection Act, the fourth principle of which is that
“Personal data shall be accurate and, where necessary, kept up to date.”
There is thus a requirement to try to overcome some of the problems of quality to which the hon. Gentleman referred.
The Information Commissioner can enforce sanctions and penalties if public authorities breach the code. If members do not comply with CIFAS’ rules they can be made to leave the organisation. If we specify an anti-fraud organisation and its members do not conform to what is required of them, it can be unspecified. An organisation is required to ensure that it meets the standard that we expect it to meet.
On the issue of being subsumed, it is important to remind the Committee that no public authority will be compelled to be part of or to share their information with a specified anti-fraud organisation. It will be a matter for them to decide whether it is appropriate and helpful for them to do so.

James Brokenshire: My point was about a specified anti-fraud organisation in the private sector that is run by its members. If public authorities become members of such an organisation, they could form the majority of its membership and have the ability to influence the direction of that specified body and its compliance with the rules. That is why I expressed concern about corporate governance. We should ensure that the powers, rights and rules in the code of practice of an existing private sector body that undertakes this work could not, through a takeover of its shares or its membership, be subverted as consequence of the expanded membership, taking into account that that might include public authorities.

Vernon Coaker: That is a fair point. We would not want a specified anti-fraud organisation to be subverted in any way. It would be required to act in an appropriate, proportionate and proper manner, whoever its members were.
The hon. Gentleman asked about training. Again, CIFAS will train the relevant staff and all new members will be trained to use the database appropriately and safely. He also asked who would have access to the database. He was right to point out that a specified person or persons will be the link between private sector bodies and CIFAS. We are considering what should be included in the code of practice to see how it would work when the number of people who can be a part of such schemes has been extended. As I say, it is important always to remember that we need to set up an organisational structure that has at its heart the prevention and detection of fraud, and we need to consider how that can be done appropriately.
On compliance with the ECHR, specifically with article 8, we believe that the production of a code of practice will achieve the legal certainty that is sought.
The hon. Member for Taunton asked how people would know what information was being kept on them—for example, whether they had been refused credit. Under section 7 of the Data Protection Act, the subject has rights of access for any data held, and under section 14 of that Act people have the right to apply to a court if data are inaccurate, and the court can order that the information be changed, rectified or destroyed.
I think that I have answered most of the specific questions. I turn now to the amendment and the new clauses. I was grateful to hear the comments of the Committee about Government new clause 11; we listened to what was being said and decided to introduce what, essentially, is a code of practice, although there may be still be disagreements between us on how it is to be implemented.
Amendment No. 154 would prevent any data sharing, as provided for in clause 63, until a code of practice governing the sharing of information had been published. It would also require a draft of the code of practice to be laid before Parliament and to be approved by a resolution of both Houses before it could be published. I wrote to members of the Committee on 27 June enclosing a copy of the code of practice amendment that now forms Government new clause 11. The new clause requires the Secretary of State to produce a code of practice covering the disclosure of information by public authorities through specified anti-fraud organisations. Any public authority data sharing through a specified organisation must have regard to the code. The new clause also contains provisions to require the Secretary of State to lay the code and any alterations to it before Parliament, and to consult the Information Commissioner and any specified anti-fraud organisations on the code’s content.
On the assumption that the new clause is accepted, I believe that requirement in the first part of the amendment—proposed new subsection (1A)—would be met. I assure the Committee that data sharing will not take place unless a code is in place. I therefore suggest that there is no need for a further amendment to require the code of practice to be published before disclosure of data takes place.
I turn to the second part of the amendment, proposed new subsection (1B). The Information Commissioner—the independent regulator and guardian of the Data Protection Act—has said he is content with the provisions of new clause 11. Indeed, the hon. Member for Hornchurch mentioned the letter that I shared with the Committee. The Information Commissioner will have to be consulted on the code’s operation, and I question whether it is necessary or right for Parliament also to be asked to approve it. Such a course would, I suggest, tend to undermine the authority of the commissioner, whose very purpose is to promote the following of good practice by data controllers, and in particular to perform his functions so as to promote the observance of the requirements of the Data Protection Act 1998.
The Information Commissioner answers to Parliament, and can report to the House if he is unhappy with the way in which the powers are being used. We can rely on the Information Commissioner to ensure that the code of practice is fit for purpose. A copy of the code and any alterations to it will be laid before Parliament.
New clause 11 requires the Secretary of State to prepare a code of practice to which all public authorities sharing information with a specified anti-fraud organisation must have regard. Before I go into the details of the provisions, I want to explain the background. On 18 April, while the Bill was being considered in the other place, I met Richard Thomas, the Information Commissioner, with Baroness Anelay and Lord Lucas of Crudwell and Dingwall to discuss its data matching and sharing provisions. During that meeting, the Information Commissioner intimated that he would expect to see a code of practice in place, with the data sharing provisions set out in clause 63. There was already a requirement in the Bill for a code for the data matching provisions set out in schedule 7.
It seemed anomalous to the Government that there should be a code of practice for one set of circumstances and not for the other. I therefore undertook to bring forward an appropriate amendment and new clause 11 is the result. The new clause focuses mainly on the central point that it requires the Secretary of State to prepare a code of practice for public authorities sharing information as members of a specified anti-fraud organisation. It will apply to public authorities whether or not they are using the gateway provided by clause 63. Thereafter, it sets out a number of conditions relating to the code. First, when preparing or changing it, the Secretary of State must consult the Information Commissioner, any specified anti-fraud organisation and any other persons as the Secretary of State sees fit to consult. Secondly, public authorities sharing information through a specified anti-fraud organisation will have to have regard to the code. Thirdly, the code must be laid before both Houses of Parliament and published.
The new clause provides an additional safeguard for the disclosure of information by public authorities to a specified anti-fraud organisation. The purpose of clause 63 is to assist in the prevention of fraud. However, at the same time we are keen that the arrangements should retain public confidence, and the code of practice and adherence to it are important parts of the process. I hope that the Committee will support the new clause.
The hon. Member for Arundel and South Downs (Nick Herbert) tabled a new clause 12, which would amend the Data Protection Act to give the Information Commissioner the power to assess of his own volition any data processing under sections 63 to 67 of the Serious Organised Crime and Police Act 2005. The amendment would affect both the data sharing and the data matching provisions of the Bill, and we believe that it is unnecessary in both respects.
I wrote to members of the Committee on 27 June enclosing a copy of the letter from the Information Commissioner. That confirmed his contentedness—is that the right word? I am always nervous with you and vocabulary, Mr. Bercow—his contentment with the proposed amendment, while expressing a preference for, but not an insistence on, a legislative basis for access to audit and inspection. The Government do not think that it is appropriate or necessary to make additional statutory provision for the Information Commissioner. As I have said, the Data Protection Act already provides him with robust and extensive powers, and I have tried to cover those without going through all of them again.
New clause 11 takes account of the issues that were raised in the other place and outside—hence the requirement for a new code of conduct to be published—and I hope that the Committee will see its way to supporting it. However, for the reasons that I have given, I ask it to resist new clause 12 and amendment No. 154.

Douglas Hogg: I welcome the fact that, in new clause 11, the Government have made some movement in the direction that I have suggested. However, I do not think that it is sufficient; they have not moved far enough. My reservations can conveniently be summarised as follows.
First, although the code is to be published and laid before Parliament, the new clause does not provide an inevitable opportunity for Parliament to debate it. In reality Parliament will not debate it, save in the margins of another debate. There will certainly be no necessary debate as is envisaged in my amendment. The code will be laid before Parliament, but that will be the extent of parliamentary involvement.
My second point overlaps with the first. A vote in Parliament will not be a necessary precondition of the code coming into operation. In a matter of such importance, Parliament should have the opportunity not only to debate but to vote on the coming into operation of the code.

Jeremy Browne: I wonder whether I can draw on the right hon. and learned Gentleman’s experience. I understood that the Minister gave the Committee reassurance on the matter of the code not being introduced in advance. The right hon. and learned Gentleman seems to think that there are still loopholes or grounds for concern.

Douglas Hogg: No; I think we may be at slight cross-purposes. I hope that I have not misled the Committee. My understanding is that, as the Minister said, data sharing will not come into operation until the code has been published. That is to say, publication will be a necessary precondition of the operation of the new scheme. My point is slightly different: it is that Parliament should have the opportunity to approve the code by an affirmative resolution before the scheme comes into operation. There is a fundamental difference. The Minister says that the publication of a code, which is an Executive action, will be a sufficient precondition. My position is that the vote of Parliament should be a necessary precondition.
I hope that I have summarised the position fairly; I do not want to be unfair to the Minister. In the end, it comes down to a person’s view on the relationship between Parliament and the Executive. The Minister is proposing an Executive action. His position has moved—it would be churlish not to acknowledge that—but the safeguards, as far they exist, are primarily Executive, not parliamentary. He made the perfectly fair point that the Information Commissioner reports to the House of Commons, which is true, but the House will not have an automatic opportunity to debate a motion incorporating the commissioner’s critique of the code.
We come back to where we often are. The Government are asserting the need of Executive control and I am asserting the need of parliamentary control. The matter is one for the Committee. I shall not press the amendment to a Division, because the Whips have left and we are short in numbers, but that does not mean that I shall not return to the matter on Report.
Ultimately, I stand for the sovereignty of Parliament. The Prime Minister is making a great deal of the fact that he does too, and we shall each make our own judgment on the plausibility of that statement. The clause provides an opportunity to show that they mean what they say, and they are manifestly failing to do so. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

John Bercow: As the hon. Member for Hornchurch rightly anticipated, I was not minded to allow a clause stand part debate if there had been a full and thorough debate on the amendments. The matters have been comprehensively considered.
The Chairman, being of the opinion that the principle of the clause and any matters arising thereon had been adequately discussed in the course of debate on the amendments proposed thereto, forthwith put the Question, pursuant to Standing Orders Nos. 68 and 89, That the clause stand part of the Bill.

Question agreed to.

Clause 63 ordered to stand part of the Bill.

Clause 64

Offence for certain further disclosures of information

Douglas Hogg: I beg to move amendment No. 155, in clause 64, page 34, line 33, leave out subparagraph (ii).
First, I seek information, Mr. Bercow. At what time do you normally adjourn the Committee on a Thursday morning?

John Bercow: At 10.25 am.

Douglas Hogg: It would be convenient if we could finish this matter, so I shall be as brief as possible.
Hon. Members may ask the purpose of the amendment, but it is perhaps more important than they have spotted because it goes to the freedom of the press. I hasten to say that in my previous incarnation as a Minister I have suffered from the press, and I am no greater liker of them even though my wife was a journalist and I worked with the press for many years as a libel lawyer. Notwithstanding the fact that I do not like the press, I recognise that a free press is an essential ingredient in a democratic society and that one has to put up with an awful lot of nonsense in the recognition of that principle. Part of the safeguard that one has from the operation of a free press is the number of leaks that they receive from within Government organisations and the publication of those leaks. Those who have been or who are in government frequently dislike leaks. However, leaks sometimes serve a very important purpose.
Incidentally, let me say in parenthesis that when Departments start leaking, it normally points to low morale and, very often, poor ministerial leadership, which is something that the Home Office under the former Home Secretary might reflect upon. We will not go into that because I can see that you are getting to your feet, Mr. Bercow. I have a curious habit of irritating you; I am so sorry.
We have to recognise that leaks are important to safeguard liberty. It is against that background that one must look at clause 64(1)(b)(ii) because it makes it wholly plain that in the situation in which a journalist is in receipt of a leak from within the designated public authority and then publishes that leak, that journalist will be committing an offence. The punishments that may be visited on that journalist are not slight. Clause 65(1)(b) states that the journalist may on conviction be subject
“to imprisonment for a term not exceeding two years or to a fine or to both.”
Incidentally, the fine is unlimited. Therefore, in principle, the journalist can be exposed to an unlimited fine and sentenced to up to two years in prison.
The Minister will say that there is safeguard in clause 65(2), which states that the prosecution can only take place with the authority of the named individual, such as the Director of Revenue and Custom Prosecutions or the Director of Public Prosecutions. I personally do not find that a satisfactory safeguard, not least of all because both the DPP and the Director of Revenue and Custom Prosecutions in their collective position might well have an interest.
That then takes one to what could be the nature of the leak. Anybody who knows anything about Government can see that any type of leak is possible, but they certainly include the following: the fact that the Departments are grossly incompetent; that the systems are wholly haywire; that individuals are corrupt; and that policies are wholly mistaken or not working.
Let us look at the Child Support Agency. Its incompetence and failures might well feature in a leak. Is it really to be said that the press should not be able to report such matters from a leak? Let us stand back and say, “We have a problem here because of the confidential nature of the information.” There is a public interest here in not rendering criminal the journalist who publishes the leaked information, which may well be in the wider public interest. Where then is the protection?
I have already said that the prosecutions have to be made with the authority of the named individuals. The only defence that is provided for is in subsection(4). It states:
“It is a defence for a person charged with an offence under this section to prove that the person reasonably believed—
(a) that the disclosure was lawful; or
(b) that the information had already and lawfully been made available to the public.”
The latter does not arise in the case of leaks because leaks, by definition—or at least usually—are of unpublished material. It is very difficult to see how a leak can be described as lawful when in fact the process of leaking is said to be an offence. Therefore, the truth is, as I understand it, that there is no defence available to the journalist who publishes a leak. Is that really what the Committee wants to do? I rather question that. It is in that spirit that I have moved my amendment. I think that it is a matter of some importance.

James Brokenshire: I wish to speak briefly in support of the amendment. My right hon. and learned Friend raises an important issue on which I hope the Minister will respond and give some clarification. In particular, he highlighted the issue of whether the disclosure was lawful. I hope that the Minister might be able to give some indication of whether, for example, provisions relating to whistleblowing might be such that they make the disclosure of such information lawful pursuant to provisions in other statutes, and to give us some other background.
Clause 64 talks about protected information. In subsection (5), we discover that the definition of protected information is drawn somewhat widely and can be extended even further inasmuch as in subsection (5)(b) it includes
“any specified information disclosed by a specified public authority.”
That is further defined as meaning
“information specified or described in an order made by the Secretary of State”.
My right hon. and learned Friend makes a valid point about what that is intended to cover. If the Secretary of State can then expand it by order, we need to consider the provision carefully.

Vernon Coaker: I am afraid that I will have to resist amendment No. 155. Clause 64 introduces an offence for certain further disclosures of protected information, such as taxpayer information. Clause 64(1)(b)(ii) ensures that if a person receives information from a public authority, directly or indirectly, that information remains protected by the offence of wrongful disclosure. As the right hon. and learned Member for Sleaford and North Hykeham pointed out, there is a defence in clause 64(4) that somebody believed that it was lawful to disclose the information.
In the end, the point that I hope will reassure the right hon. and learned Gentleman is that it will be a matter for the prosecuting authorities to decide whether it would be in the public interest to prosecute somebody who has disclosed that information. Otherwise, we are saying that people can disclose information on the basis that they believe that it is good journalism and that in their opinion sensitive personal information could be disclosed and put in the public arena in an inappropriate way.
Amendment No. 155 would remove an essential part of the protection that the clause provides for information being shared. It would mean that if a person made an unlawful disclosure of the information they would not be caught by the criminal offence because they were not the original recipient of the information but instead received it indirectly. That would create a loophole in the Bill that I do not think that the Committee would wish to see, so I ask the right hon. and learned Gentleman to withdraw the amendment.

Douglas Hogg: I am not in the least bit satisfied by the reply. It is plain to me that the provision does catch leaking. The only defence for anything offered by the Minister to the potential leaker is that a person who might have an interest in preventing the leak will be the person responsible for deciding whether or not there should be a prosecution. I have never heard of a shallower defence than that. The point that my hon. Friend the Member for Hornchurch made about enlarging the class of information that could be caught is extremely sound. We shall not divide the Committee on the amendment, mainly because there are only two of us—three, if the Liberal Democrat voted with us, as I hope he would—to vote for it. I hope that the House will revisit the matter on Report and so I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 65

Penalty and prosecution for offence under section 64

James Brokenshire: I beg to move amendment No. 178, in clause 65, page 36, line 6, leave out ‘two’ and insert ‘four’.
Clause 65 deals with the penalties for breach of clause 64. In that context my comments about the amendment tabled by my hon. Friend the Member for Arundel and South Downs—

It being twenty-five minutes past Ten o’clock, The Chairman adjourned the Committee without question put, pursuant to the Standing Order.

Adjourned till this day at Two o’clock.